GDPR, CCPA, AND COOKIE LAW: WHY ARE THEY IMPORTANT FOR YOUR MOBILE APP


Your mobile app must have a responsive interface, an intuitive user experience, and the right features. However, there is one more thing to consider – a data privacy policy, including consent collection on mobile devices.  

Privacy is a sensitive subject, as we all know. There are different privacy laws in different countries – GDPR, CCPA, LGPD, and EPrivacy regulations are some of the most well-known. In terms of mobile consent collection, some regulations are stricter than others.  

Globally, data privacy has increasingly become a top priority for many countries and regions due to an increasing reliance on digital products and services. Businesses are expected to comply with robust and enforceable data privacy regulations in many regions as a result. Noncompliance with these regulations can not only have serious financial consequences but also have long-lasting and significant effects on public trust and your organization’s reputation. 

This article discusses mobile consent and various privacy regulations, including how to remain compliant. 

GENERAL LEGAL REQUIREMENTS 

Major Components 

Under the majority of laws, if you handle personal information you must: make the necessary disclosures about your data processing operations through a comprehensive privacy policy; put efficient security measures in place to protect personal data; and implement a mechanism for obtaining the user’s consent on mobile (and for withdrawing it) before sharing their personal data. 

This privacy information must be up to date, clear, and easily available throughout the website or app. Some of the required components may change depending on the type of processing activity, the region, the age of the users or the type of business. It is therefore important to note that, in addition to the fundamental points stated below, you may have further responsibilities under your applicable law. 

Disclosures 

Under most laws, users need to be informed of: 

  • Website/app owner details 
  • The effective date of your privacy policy 
  • Your notification process for policy changes 
  • What data is being collected 
  • Who the third parties are and what data they collect 
  • Their rights regarding their data. 

Depending on the applicable law, you may have to make other disclosures to users, other parties, and the supervisory authority. 

The California Consumer Privacy Act (CCPA) is one such statute. In particular, under the CCPA users must be warned of the risk of their data being “sold” (think of “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure must be reachable from the site’s homepage and include an opt-out (“Do Not Sell My Personal Information”, DNSMPI) link. 

Consent 

Consent in this context refers to an individual’s informed voluntary agreement to take part in a specific event or process. 

In general, users must be able to give, decline, or withdraw consent (depending on regional law). Consent can be obtained using any mechanism that requires the user to take a verifiable and direct action, such as ticking a checkbox, filling in a text field, flipping a toggle, sending a confirmation email, and so on. Users should be aware of the following: 

  • Website/app owner details; 
  • The date your privacy policy went into effect; 
  • Your policy change notice procedure; 
  • What information is being gathered; 
  • Who the third parties are and the types of data they are gathering; 
  • Their rights regarding their data. 

Deciding your law of reference 

The laws of a particular region apply only if: 

  • You base your operations there; or 
  • You use regional processing services or servers; or 
  • Your service targets users from that region 

This means that regional regulations may apply to you and/or your business whether or not you are located in that region. As a result, it is always a good idea to approach your data processing activities with the most stringent applicable regulations in mind. 

REGION-SPECIFIC REQUIREMENTS  


US LAW 

There is no single comprehensive national body of data privacy rules in the United States; instead, there are many state laws, industry recommendations, and specific federal statutes in effect. Because online site/app activity is rarely limited to a single state, it is always advisable to follow the most stringent applicable legislation. With this in mind, the state of California has created the most rigorous data privacy law framework. The California Online Privacy Protection Act (CalOPPA), enacted in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or organisation whose website or app collects personal information from California residents. 

In addition to the standard disclosures outlined above, CalOPPA requires you to: 

  • Clearly publish your privacy policy on the homepage of your website/app 
  • Include in your privacy policy a description of the process by which users can request changes to their personal data (if such a process exists) 
  • Describe in your privacy policy how you handle “Do Not Track” requests 
  • Notify affected users of security breaches that affect their data. 

In terms of consent, US law generally demands that you provide users with a clear way to withdraw consent (opt-out). However, stricter rules apply in circumstances involving “sensitive data” (e.g., health details, credit reports, student records, personal information of children under the age of 13). In such circumstances, a verifiable opt-in action, such as checking a box or taking another affirmative action, is required. 

What happens if you don’t follow CCPA? 

For intentional violations, app publishing companies can face a penalty of up to $7,500; for unintentional violations, they can face up to $2,500 if the violation is not resolved within 30 days of being given notice of it. 

Special Care Regarding Children 

If your service collects, uses, or discloses personal information from children under the age of 13, specific rules apply to those data processing activities. 

The Children’s Online Privacy Protection Act (COPPA) is a federal law in the United States that was enacted to better protect the personal data and rights of children under the age of 13. 

If you run a website or online service aimed at children under the age of 13, or if you have actual knowledge that you are collecting personal information from children under the age of 13, you must notify parents and obtain their verifiable consent before collecting, using, or disclosing the information, and you must keep the information collected secure. 

“Verifiable” means using a method of obtaining consent that is difficult for a child to fake and is demonstrably likely to have been provided by an adult (e.g., checking a parent’s government-issued ID). 

What exactly is “personal information” about children? 

As per the COPPA Law, “personal information” refers to the child’s: 

  • Name, ID information (e.g., social security number) 
  • Location (physical address, geolocation data or IP address) 
  • Contact Details (phone numbers and email addresses) 
  • Device identifiers 
  • Media having any kind of child’s data (e.g., image, voice, videos) 

THE EU 

GDPR 

Technically, the European Union (EU) is not a single country. But given that the General Data Protection Regulation (GDPR) is regarded as the gold standard in data protection legislation, and given that it applies to every country in the EU, it is difficult not to put it at the top of our list. In short, the GDPR specifies how personal data must be lawfully processed (how it is collected, used, protected, or otherwise handled). 

When it comes to consent, the GDPR is stricter than US standards. Consent must be “explicit and freely provided” under the GDPR. This means that the technique for obtaining consent must be straightforward and require a clear “opt-in” action (pre-ticked boxes and similar “opt-out” procedures are expressly prohibited by the rule). 

Records of consent should at least have the following information: 

  • The identity of the user giving consent; 
  • When they consented; 
  • What disclosures were made to them at the time they consented; 
  • The method used to obtain the user’s consent (e.g., newsletter form, during checkout, etc.); 
  • Whether or not they have withdrawn the consent. 

What happens if you don’t follow GDPR? 


Noncompliance and data breaches under the GDPR can result in fines of up to 20 million euros or 4% of the infringing company’s annual global turnover, whichever is higher. 

Special Care Regarding Children 

Consent is one of the lawful bases for processing children’s data under the EU GDPR. If you rely on this ground to process the data of children under the age of 13, you must obtain verified consent from a parent or guardian, unless the service you provide is preventative or counselling. You must take reasonable measures (using available technology) to verify that the person giving consent is the child’s legal guardian. Furthermore, if you intend to target children over the age of 13, you must provide them with clear and age-appropriate privacy notices so that they understand what they are agreeing to. 

EPrivacy DIRECTIVE (COOKIE LAW) 

Because using cookies involves both the processing of user data and the installation of files that can be used for tracking, cookies are a key concern for the privacy of user data. To address this concern, the EPrivacy Directive (or Cookie Law) was enacted. 

Organizations that target EU users must inform them about data collection operations and let them choose whether or not their data is collected. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must obtain valid consent before installing those cookies, unless they fall into the category of exempt cookies. 

Cookie-related requirements 

Under the law, you will need to: 

  • provide a clear and understandable cookie policy; 
  • show a simple and visible cookie banner at the user’s first access; 
  • block all non-exempt cookies before obtaining user consent (and release them only after informed consent has been given). 

This requires the implementation of a valid cookie policy as well as a cookie consent management system. 

Provide a cookie policy 

The cookie policy must: 

  • clearly state the kinds of cookies installed (e.g., statistical, advertising, etc.); 
  • describe in detail the purpose of each cookie; 
  • list all third parties that install or may install cookies, with a link to their individual policies and any opt-out forms (where available); 
  • be available in all languages in which the service is offered. 

Show a cookie banner at the user’s first visit 


As required by the law, a cookie banner must: 

  • inform users about any cookies used by your app; 
  • obtain the user’s permission before running the cookies (and clearly state which action counts as consent); 
  • be visible enough to draw attention to itself; 
  • link to a cookie policy that describes in full the purpose of the various types of cookies and the third parties involved. 

Block non-exempt cookies before obtaining user consent 

Because informed opt-in (prior consent) is required under the GDPR and the EPrivacy Directive (Cookie Law), you must have a mechanism in place that blocks non-exempt cookies until the user has given consent via an affirmative action, such as clicking an “Accept” button. Apart from exempt cookies, no cookies may be installed before consent. 
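The consent record listed in the GDPR section and the blocking mechanism described here, as an added example that is not code from the original post or from Swing2App: a small consent manager that installs exempt cookies immediately, holds every other cookie until an affirmative opt-in, logs each decision with the five record fields, and deletes non-exempt cookies on withdrawal. It assumes a Map as the cookie jar (standing in for document.cookie or a WebView cookie store) and a single “technical” exempt category; all names are hypothetical.

```javascript
// Added example, not from the original post; the Map cookie jar stands in for document.cookie.
const EXEMPT = new Set(["technical"]); // strictly necessary cookies: no consent needed

// One record per consent decision, with the fields the GDPR section lists.
function createConsentRecord({ userId, categories, disclosures, method }) {
  return {
    userId,                                // who is giving consent
    consentedAt: new Date().toISOString(), // when they consented
    disclosures,                           // what they were shown (e.g. policy id)
    method,                                // how consent was obtained (banner etc.)
    categories: [...categories],           // non-exempt categories accepted
    withdrawnAt: null,                     // filled in if consent is withdrawn
  };
}

class CookieConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;           // installed cookies: name -> { value, category }
    this.pending = [];        // non-exempt cookies blocked until consent
    this.records = [];        // audit trail of consent decisions
    this.granted = new Set(); // categories the user has opted in to
  }
  allowed(category) {
    return EXEMPT.has(category) || this.granted.has(category);
  }
  // Returns true if the cookie is installed now, false if blocked pending consent.
  setCookie(name, value, category) {
    if (this.allowed(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }
  // Call only from an affirmative user action (never from a pre-ticked box).
  grant({ userId, categories, disclosures, method }) {
    const record = createConsentRecord({ userId, categories, disclosures, method });
    this.records.push(record);
    categories.forEach((c) => this.granted.add(c));
    const still = []; // release queued cookies that are now consented; keep the rest
    for (const c of this.pending) {
      if (this.allowed(c.category)) this.jar.set(c.name, { value: c.value, category: c.category });
      else still.push(c);
    }
    this.pending = still;
    return record;
  }
  // Withdrawal: date-stamp the user's records and delete every non-exempt cookie.
  withdraw(userId) {
    const when = new Date().toISOString();
    for (const r of this.records) if (r.userId === userId && !r.withdrawnAt) r.withdrawnAt = when;
    this.granted.clear();
    for (const [name, c] of this.jar) if (!EXEMPT.has(c.category)) this.jar.delete(name);
  }
}
```

Third-party SDKs would call `setCookie` with their category so that their cookies are queued rather than written; the `records` array is what you would persist to prove consent later.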

Furthermore, if you monetize your app or its content with third-party ads, you should consider meeting industry standards. Failure to do so may result in restricted ad network access and, as a result, a reduction in ad revenue. 

Exemptions to the consent requirement 

Some cookies are exempt from the consent requirement and therefore are not subject to prior blocking (but you must still inform users about your use of cookies). The exemptions are: 

  • Technical cookies that are strictly required for the service to be provided, such as preference cookies, session cookies, load-balancing cookies, and so on. 
  • Statistical cookies that are maintained directly by you (rather than by third parties), as long as the data is not used for profiling * 
  • Third-party statistics cookies that are Anonymized (e.g., Google Analytics) * 

*This exemption might not be relevant for all regions and is thus governed by specific local regulations. 

PRIVACY POLICY 

Most countries’ laws require you to disclose information about your privacy policy and data-processing operations. Mobile apps are no exception: they must publish a privacy policy (and, if they make use of cookies and similar tracking technologies, a cookie policy). 

To be compliant, your privacy policy must be up to date, clear, straightforward, and easily available throughout the app. 

Depending on the applicable law, you may also have to make other disclosures to users, third parties, and the supervisory authority. 

Without a privacy policy, your app risks rejection from the app stores. 

Apps must have a legitimate privacy policy and obey applicable law in order to be accepted in the Apple App Store and Google Play. Failure to do so can result in hefty fines, app store rejection, lawsuits, and a negative impact on the credibility of your product. 

IOS APPS 

App Store Connect requires a privacy policy for all new apps and app updates. Section 5.1 of Apple’s App Store Review Guidelines summarises Apple’s privacy requirements (and the grounds for rejection when they are not met). Section 5.1.1, on Data Collection and Storage, goes on to say: 

Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and in an easily accessible location within the app. The privacy policy ought to expressly and clearly: 

  • Identify what data the app/service collects, how it collects, and how it is used. 
  • Confirm that any third party with whom an app shares user data (in accordance with these Guidelines), such as analytics tools, advertising networks, and third-party SDKs, as well as any parent, subsidiary, or other related entities that will have access to user data, will provide the same or fair user data protection as stated in the app’s privacy policy and required by these Guidelines. 
  • Explain its data retention/deletion policies and how a user can revoke consent and/or seek data deletion. 

Furthermore, your app’s privacy policy link or content will only be modifiable when you submit an updated version of your app. 


ANDROID APPS 

Google Play, on the other hand, simply requires that a link to a data privacy policy be visible on your app’s store listing page and within your app if: 

  • Your app manages personal or sensitive user data, as outlined in the user data privacy policies (such as personal information, payment and financial information, authentication information, contact data, mic and camera sensor data, and sensitive mobile data). 
  • Your app has been accepted into the “Designed for Families” program (with or without access to sensitive permissions or data). 

However, it is important to remember that, platform requirements aside, privacy notices are legally required under the great majority of privacy laws, in particular California’s CalOPPA, the CCPA, and the GDPR. 

Furthermore, if your Android app handles personal data for reasons unrelated to its operation, you must make extra, easily visible disclosures about this usage and obtain user consent when necessary. 


HOW TO USE SWING2APP TO MAKE YOUR NO-CODE APP COMPLIANT IN MINUTES 

With Swing2App, you can create no-code apps without worrying about all these laws, as we handle everything for you.  

Yes! You read that correctly. A no-code app can be easily created using Swing2App, which is fully compliant with both the App Store and Google Play Store privacy policies.   

Swing2App automatically updates your app to keep up with the latest policies and guidelines. If you create your app without it, you have to update it regularly to stay up-to-date.  

Doing this yourself is an expensive and time-consuming process, because a developer has to review all the guidelines for every Android and iOS update. Furthermore, you must carefully review the privacy policies; otherwise, your app may be rejected.  

There is no need to worry! We provide Swing2App support for all app store guidelines updates in addition to ensuring compliance with privacy policies. With Swing2App, your app is prepared for future contingencies as well!   

Please feel free to contact us if you are interested in creating law-compliant apps or wish to take your app to the next level. The professionals at our company will provide the finest law-compliant app services and help you in improving your product without a doubt!   
